February 2006
Report No. 06-009

FDIC's Guidance to Institutions and Examiners for Implementing the Gramm-Leach-Bliley Act Title V and the Fair and Accurate Credit Transactions Act

Background and Purpose of Audit

The privacy and security of consumer information in financial institutions are regulated by Title V of the Gramm-Leach-Bliley Act of 1999 (GLBA), the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), and the Fair Credit Reporting Act of 1968 (FCRA). The FACT Act made many substantive amendments to the FCRA and covers, for example, identity theft, consumers' access to credit information, enhanced consumer report accuracy, and financial literacy. The statutes prescribe financial institutions' responsibilities for protecting consumer information and sharing it with other entities.

The audit objective was to determine whether the FDIC provided adequate guidance to FDIC-supervised institutions and examiners for implementing the data privacy and security provisions of the GLBA Title V and the FACT Act. The audit also determined whether the FDIC has implemented GLBA-related recommendations in Office of Inspector General Audit Report No. 03-044, The Federal Deposit Insurance Corporation's Progress in Implementing the Gramm-Leach-Bliley Act, Title V - Privacy Provisions, dated September 26, 2003.

To view the full report, go to www.fdicig.gov/2006reports.asp

Results of Audit

The FDIC has established rules and regulations and issued adequate guidance to institutions and examiners for implementing the GLBA Title V provisions related to the privacy and security of consumer information. These actions are sufficient to address our prior recommendations. In contrast, some FACT Act provisions are still lacking rules and regulations.

Ten FACT Act provisions require compliance by FDIC-supervised institutions and rulemaking by the federal banking agencies, the National Credit Union Administration (NCUA), or the Federal Trade Commission (FTC). The FDIC, jointly or in coordination with the other federal banking agencies and NCUA, has completed the rulemaking process for two of the seven FACT Act provisions that require FDIC rulemaking. The FTC has completed rules and regulations for the three provisions for which it has rulemaking responsibility. The Act did not designate a lead agency for the five provisions still requiring rules and regulations. The FDIC must coordinate with other federal agencies to issue guidance for the five provisions, but meeting timeframes for publishing the regulations has proved to be difficult. Further, the FDIC had not issued final financial institution or examination guidance for those provisions where the FTC had issued final rules and regulations, or for so-called "self-executing" provisions (which require financial institution compliance but not rulemaking by the federal agencies).

The lack of final rules and regulations could limit the effectiveness of the FACT Act and reduce assurance that institutions are taking steps to prevent identity theft to the extent intended by the Act. However, to some degree, the FDIC has mitigated that risk by issuing interim financial institution and examination guidance addressing all of the provisions that require such guidance.

Recommendations and Management Response

We recommended that the FDIC finalize the interim examination guidance that addresses FACT Act provisions and develop, in coordination with the joint-agency rulemaking committee, a more aggressive project management plan to expedite the issuance of final rules and regulations for all FACT Act provisions. The FDIC concurred with the recommendations and stated that it is fully committed to, and is in the process of, developing and issuing financial institution and examination guidance. Also, as a member of the separate working groups responsible for drafting each set of rules or guidelines, the FDIC has consistently made efforts to move the process forward and will continue to promote expedited processes during 2006. Management's planned actions are responsive to the recommendations.

TABLE OF CONTENTS

BACKGROUND
RESULTS OF AUDIT
FINDING AND RECOMMENDATIONS
  FDIC'S PROGRESS IN IMPLEMENTING GLBA TITLE V DATA PRIVACY AND SECURITY PROVISIONS AND FACT ACT PROVISIONS
    FDIC Rules and Regulations That Address GLBA Title V Provisions
    FDIC Guidance That Addresses GLBA Title V Provisions
    FDIC Rules and Regulations That Address FACT Act Provisions
    Joint Guidance
    FTC Regulations Required
    Self-executing Provisions
CONCLUSION
RECOMMENDATIONS
CORPORATION COMMENTS AND OIG EVALUATION
APPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY
APPENDIX II: SUMMARY OF LAWS AND REGULATIONS
APPENDIX III: VARIOUS FDIC ISSUANCES RELATED TO GLBA AND THE FACT ACT
APPENDIX IV: CROSSWALK OF FACT ACT PROVISIONS TO FDIC RULES AND REGULATIONS AND RELATED GUIDANCE
APPENDIX V: CORPORATION COMMENTS
APPENDIX VI: MANAGEMENT RESPONSE TO RECOMMENDATIONS
TABLE: Status of Regulations and Guidance Issued for FACT Act Provisions Affecting FDIC-Supervised Institutions

Federal Deposit Insurance Corporation
801 17th Street NW, Washington, DC 20434
Office of Audits, Office of Inspector General

DATE: February 24, 2006

MEMORANDUM TO: Sandra L. Thompson, Acting Director
               Division of Supervision and Consumer Protection

FROM: Russell A. Rau [Electronically produced version; original signed by Russell A. Rau]
      Assistant Inspector General for Audits

SUBJECT: FDIC's Guidance to Institutions and Examiners for Implementing the Gramm-Leach-Bliley Act Title V and the Fair and Accurate Credit Transactions Act (Report No. 06-009)

This report presents the results of our audit of the FDIC's implementation of the Gramm-Leach-Bliley Act of 1999 (GLBA) Title V and the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). The audit objective was to determine whether the FDIC's Division of Supervision and Consumer Protection (DSC):

• provided adequate guidance to FDIC-supervised institutions and examiners for implementing the data privacy and security provisions of the GLBA Title V and the FACT Act, and

• implemented the recommendations in Office of Inspector General (OIG) Audit Report No. 03-044, The Federal Deposit Insurance Corporation's Progress in Implementing the Gramm-Leach-Bliley Act, Title V - Privacy Provisions, dated September 26, 2003.

To address our objective, we assessed the FDIC's progress in implementing the GLBA provisions related to the privacy and security of bank consumer[1] data, and all of the FACT Act provisions. This audit is the second in a series of audits planned to review the FDIC's implementation of GLBA Title V and FACT Act provisions. Subsequent audit coverage of this area will include detailed reviews of examinations and supervisory efforts addressing the privacy and security of consumer information. Details on our objective, scope, and methodology are in Appendix I of this report.

[1] GLBA, Subtitle A, uses the terms "consumer" and "customer." GLBA, Section 509(9), defines "consumer" as an individual (or legal representative) who obtains, from a financial institution, financial products or services that are to be used primarily for personal, family, or household purposes. The FDIC's Rules and Regulations, Section 332.3, implements GLBA Section 509(11) by defining "customer relationship" as a continuing relationship between a consumer and the financial institution that provides one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes. This report uses "consumer" unless, in the particular context, "customer" would be more appropriate.

BACKGROUND

Since the early 1970s, the FDIC has recognized the significant risk associated with the potential for data security weaknesses to disrupt bank operations, harm consumers, and undermine confidence in the nation's financial system.
The failure or misuse of technology can impact the safety and soundness of an institution with sudden and severe losses or compromise the security of consumer financial information. Elements of risk in this area include a potential impact on the deposit insurance funds if continued breaches in data security are not controlled. This issue has received increased public and congressional attention.

The security and privacy of consumer information in financial institutions are regulated by the GLBA, the Fair Credit Reporting Act of 1968 (FCRA), and the FACT Act, which amended the FCRA. These statutes describe financial institutions' responsibilities for protecting consumer information and sharing it with other entities. The FDIC and other regulatory agencies establish regulations to implement the statutes and monitor compliance through routine supervisory programs, including on-site examinations of financial institutions. DSC reviews financial institutions' compliance with: (1) GLBA privacy notice requirements through compliance examinations and (2) GLBA and FACT Act provisions on safeguarding consumer information through information technology (IT) examinations. Supervisory actions for regulatory noncompliance range from informal agreements and enforcement actions to civil money penalties.

The GLBA was enacted on November 12, 1999. Title V of the GLBA contains data privacy and security provisions that prohibit financial institutions from sharing nonpublic, personally identifiable consumer information with nonaffiliated third parties[2] and require institutions to provide notice of their privacy policies to customers and to safeguard the security and confidentiality of consumer information. Finally, Title V delegates rulemaking and enforcement authority to the federal banking and securities regulators, the Federal Trade Commission (FTC), and state insurance regulators.[3]

The FCRA establishes standards for collecting and disseminating data by consumer reporting agencies (CRAs).[4] The primary purpose of the FCRA is to regulate the nationwide consumer reporting system to help ensure the accuracy and security of consumer reports.[5]

[2] The GLBA requires financial institutions to provide notices describing the type of information they intend to share with third parties and how customers may "opt out," or say "no," to information sharing under certain circumstances.

[3] According to section 3 of the Federal Deposit Insurance Act, "[t]he term 'Federal banking agency' means the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the Board of Governors of the Federal Reserve System, or the Federal Deposit Insurance Corporation."

[4] FCRA, Section 603, defines "consumer" as "an individual." Also, FCRA Section 603 defines the term "consumer reporting agency" as "any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports."

[5] FCRA, Section 603, defines "consumer report" as any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living, which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for: (1) credit or insurance to be used primarily for personal, family, or household purposes; (2) employment purposes; or (3) any other purpose authorized under section 604.

The FACT Act was signed into law on December 4, 2003. One of its primary purposes was to amend the FCRA to make several expiring federal preemptions permanent, in response to industry concern that state or local laws might interfere with the continuity of the credit reporting system. In addition to the federal preemption, the FACT Act also made many substantive amendments to the FCRA to address issues raised by industry and consumer advocates. In response to industry concerns, the FACT Act preserves and expands uniform national standards for the accuracy and integrity of consumer report information and access to such information. In response to concerns raised by consumer advocates, the FACT Act contains many new provisions to combat identity theft, protect privacy, and improve consumer access to, and the overall accuracy of, consumer reports. The FACT Act also restricts the use and disclosure of sensitive medical information.
To bolster efforts to improve financial literacy among consumers, Title V of the Act (entitled Financial Literacy and Education Improvement Act) creates a new Financial Literacy and Education Commission, of which the FDIC is a member, empowered to take appropriate actions to improve financial literacy and education programs, grants, and materials of the federal government.

Appendix II contains additional information on the requirements of the GLBA, FCRA, and FACT Act.

RESULTS OF AUDIT

The FDIC has established rules and regulations and issued adequate guidance to institutions and examiners for implementing the GLBA Title V provisions related to the privacy and security of consumer information. In doing so, the FDIC has taken sufficient corrective action to address prior OIG recommendations associated with the Corporation's implementation of these provisions. In contrast, the FDIC, jointly or in coordination with the other federal banking agencies, National Credit Union Administration (NCUA), and FTC, has not yet issued rules and regulations addressing some FACT Act provisions. The lack of final rules and regulations could limit the effectiveness of the FACT Act and reduce assurance that institutions are taking steps to prevent identity theft to the extent intended by the Act. The FDIC has mitigated that risk, to some degree, by issuing interim financial institution and examination guidance addressing all of the provisions that require such guidance.

FINDING AND RECOMMENDATIONS

FDIC'S PROGRESS IN IMPLEMENTING GLBA TITLE V DATA PRIVACY AND SECURITY PROVISIONS AND FACT ACT PROVISIONS

The FDIC has established rules and regulations that appropriately address the GLBA Title V provisions related to the privacy and security of consumer information.
In addition, the FDIC has provided adequate guidance to FDIC-supervised institutions and established adequate examination guidance and procedures to ensure that these institutions meet GLBA requirements. Examination guidance issued in April 2004 includes procedures that adequately address prior OIG recommendations associated with the Corporation's implementation of GLBA privacy provisions.

Ten FACT Act provisions require compliance by FDIC-supervised institutions and rulemaking by the federal banking agencies and NCUA or FTC. The FDIC, jointly or in coordination with the other federal banking agencies and NCUA, has completed the rulemaking process for two of the seven FACT Act provisions that require rulemaking by the FDIC. The FTC has completed rules and regulations for the three provisions for which it has rulemaking responsibility. The Act did not designate a lead agency for the five provisions still lacking rules and regulations. Therefore, the FDIC must coordinate with other federal agencies to issue guidance for the five provisions, but meeting timeframes for publishing the regulations has proved to be difficult.[6] The lack of final rules and regulations that establish implementing requirements could limit the effectiveness of the FACT Act provisions, thus reducing assurance that institutions are limiting the potential for identity theft.
However, the FDIC has acted to mitigate that risk by issuing interim financial institution and examination guidance to address all of the FACT Act sections that require such guidance.

[6] For these five provisions, the FACT Act states that the federal banking agencies, NCUA, and FTC shall, either jointly or in coordination, establish and maintain guidelines and prescribe regulations. For provisions requiring coordination, the FACT Act states that each agency required to prescribe regulations shall consult and coordinate with each other so that, to the extent possible, the regulations prescribed are consistent and comparable.

FDIC Rules and Regulations That Address GLBA Title V Provisions

During our 2003 audit of the FDIC's progress in implementing GLBA Title V, we determined that the FDIC had made reasonable progress in implementing GLBA Title V Subtitle A's provisions.[7] However, federal regulators had not yet finalized the interagency-proposed regulations for GLBA Title V Subtitle A, Section 506, Protection of the Fair Credit Reporting Act. Under Subtitle A, Section 506(a), the authority of the federal banking agencies to conduct routine examinations for compliance with the FCRA was restored, and the federal banking agencies were to jointly prescribe regulations, as necessary, for financial institutions to carry out the purposes of the FCRA. Based on the results of our current audit, we determined that the requirements of the provision have been fulfilled.

[7] On September 26, 2003, the OIG issued Audit Report No. 03-044. The objective of the audit was to determine whether the FDIC had made reasonable progress in implementing the GLBA Title V privacy provisions.

On October 26, 2000, the FDIC issued Financial Institution Letter (FIL) FIL-71-2000, Proposed Regulations Implementing the Fair Credit Reporting Act. This FIL distributed the proposed rule, Part 334, published in the Federal Register (Vol. 65, No. 204). During fieldwork for our 2003 audit, we found that banking regulators anticipated issuing a new proposed rulemaking for public comment, addressing comments received on the October 2000 proposal. During our current audit, we discussed the status of the proposed regulation with the FDIC's Legal Division and were informed that Section 506 of GLBA did not require the development of regulations but that regulations were to be prescribed "as necessary" to carry out the FCRA. According to DSC, the underlying purpose of the proposed regulation issued in FIL-71-2000 was to provide functional, specific requirements for the provision of an opt out notice as required by the FCRA. The requirement to provide an opt out notice had existed in the FCRA, without an implementing regulation, since 1996. The "as necessary" approach to Section 506 refers to whether the agencies believed a specific instruction regarding the opt out notice was necessary. Ultimately, DSC determined that a specific instruction was not necessary because banks would generally follow similar guidance in the privacy regulations (FDIC Rules and Regulations Part 332) that cover the FCRA opt out notice. According to DSC, although the GLBA and the FCRA opt out notice requirements are different and based in different statutory requirements, a bank's practices for delivering notices and honoring opt outs are almost always structured in the same way. Therefore, although GLBA Section 506 requirements are not addressed in a specific regulation, FDIC-insured institutions remain subject, under the FCRA, to the statutory requirement to provide an opt out notice.

FDIC Guidance That Addresses GLBA Title V Provisions

During our 2003 audit of the FDIC's progress in implementing GLBA Title V, we also conducted an analysis of the corresponding guidance issued to FDIC-supervised banks and FDIC examiners. At the time of our 2003 audit report, we determined that, on May 9, 2001, the FDIC issued FIL-39-2001, Guidance on Identity Theft and Pretext Calling, as a supplement to FDIC regulations on customer information security, issued February 1, 2001, pursuant to Section 501(b) of the GLBA.[8] In our 2003 audit report, we stated that the guidance provided steps that financial institutions should take to safeguard customer information and reduce the risk of loss from identity theft and pretext calling.
However, we also noted that DSC's examination procedures did not include steps to specifically assess how banks protect customer information from unauthorized disclosure through identity theft and pretext calling.

[8] Section 501(b), Disclosure of Nonpublic Personal Information, requires each agency to establish appropriate standards for the financial institutions under its jurisdiction relating to administrative, technical, and physical safeguards. Specifically, the standards are to (1) ensure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of such records; and (3) protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer. On February 1, 2001, the federal banking regulators issued a final rule under FDIC Rules and Regulations Part 364, Standards for Safety and Soundness, Appendix B, Interagency Guidelines Establishing Standards for Safeguarding Customer Information. On August 28, 2001, the FDIC issued Regional Directors Memorandum (RDM) 2001-032, Examination Procedures to Evaluate Customer Information Safeguards, to distribute examination procedures to determine compliance with Appendix B to Part 364.

On April 16, 2004, DSC's Technology Supervision Branch issued Regional Directors Memorandum (RDM) 2004-014, Information Technology General Work Program Revision. During our current audit, we reviewed the RDM and found that it provides examiners adequate guidance for assessing how banks protect customer information from unauthorized disclosure to reduce the risks of loss related to identity theft and pretext calling.

In 2005, DSC issued the following additional interpretations and guidance related to establishing standards for safeguarding customer information.

• FIL-27-2005, Final Guidance on Response Programs: Guidance on Response Programs for Unauthorized Access to Consumer Information and Consumer Notice, dated April 1, 2005, requires financial institutions to develop and implement a response program designed to address incidents of unauthorized access to sensitive consumer information maintained by the financial institution or its service provider.

• RDM 2005-012, Examination Procedures to Evaluate Response Programs for Unauthorized Access to Consumer Information, dated April 5, 2005, distributes examination procedures to determine compliance with the Interagency Guidance on Response Programs for Unauthorized Access to Consumer Information and Consumer Notice.

• FIL-64-2005, Pharming: Guidance on How Financial Institutions Can Protect Against Pharming Attacks, dated July 18, 2005, describes the practice of "pharming," how it occurs, and potential preventive approaches. The guidance states that financial institutions offering Internet banking should assess the potential threats posed by pharming attacks and protect their Internet domain names, since a compromised domain name heightens the risks to the institution.

• FIL-66-2005, Spyware: Guidance on Mitigating Risks From Spyware, dated July 22, 2005, recommends an effective spyware prevention and detection program based on an institution's risk profile. The guidance and the attached informational supplement discuss the risks associated with spyware from both a bank's and a consumer's perspective and provide recommendations to mitigate these risks.

• FIL-69-2005, Voice Over Internet Protocol: Guidance on the Security Risks of VoIP, dated July 27, 2005, addresses the security risks associated with voice over Internet protocol (VoIP).[9] VoIP is susceptible to the same security risks as data networks if security policies and configurations are inadequate. To address Section 501(b) of GLBA, the guidance states that the associated risks should be evaluated as part of a financial institution's periodic risk assessment and discussed in status reports submitted to the institution's board of directors. The guidance provides financial institutions with a detailed summary of the risks associated with VoIP and the available sources for developing VoIP security policies and procedures, and it recommends best practices. In addition, FIL-69-2005 states that bank management should perform a comprehensive risk assessment to ensure the confidentiality, integrity, and availability of voice communications using VoIP technology.

During our current audit, we reviewed DSC's guidance and found that it provided adequate procedures for both institutions and examiners in ensuring compliance with GLBA Section 501. In addition, since September 26, 2003, the FDIC has issued several policy documents to banks and examiners that address data privacy or data security. Many of the documents are advisory in nature or for informational purposes and are not required by GLBA.
Appendix III provides a list\nof the policy documents developed by DSC for both FDIC-supervised institutions and FDIC\nexaminers.\n\nFDIC Rules and Regulations That Address FACT Act Provisions\n\nThe FACT Act contains 10 provisions that require compliance by FDIC-supervised institutions\nand rulemaking by the federal banking agencies and the NCUA or FTC. The FDIC, jointly or in\ncoordination with other federal banking agencies and the NCUA, has completed the rulemaking\nprocess for two of the seven FACT Act provisions that require FDIC rulemaking. The FTC has\ncompleted rules and regulations for the three provisions for which it has rulemaking\nresponsibility. The Act did not designate a lead agency for the five provisions still lacking rules\nand regulations, and the FDIC must coordinate with other federal agencies to issue the guidance.\nThe table on the next page summarizes the status of the regulations and guidance related to\nFACT Act provisions affecting FDIC-supervised institutions. 
Appendix IV describes each title\nand section of the FACT Act.\n\n\n9\n    VoIP refers to the delivery of traditional telephone voice communications over the Internet.\n\n\n                                                            6\n\x0c Status of Regulations and Guidance Issued for FACT Act Provisions Affecting\n FDIC-Supervised Institutions\n                                                Status of FDIC Financial          Status of FDIC\n FACT        Status of Rules and Regulations\n                                                  Institution Guidance          Examiner Guidance\n   Act\n Section    Nothing                           Nothing                       Nothing\n                       Proposed      Final                Interim   Final             Interim    Final\n             Issued                            Issued                        Issued\n    Regulations Required To Be Issued Jointly by the FDIC and Five Other Federal Banking Agencies\n114(e)          \xe2\x88\x9a                                            \xe2\x88\x9a                            \xe2\x88\x9a\n214(a)                     \xe2\x88\x9a                                 \xe2\x88\x9a                            \xe2\x88\x9a\n216                                 \xe2\x88\x9a FDIC                             \xe2\x88\x9a                           \xe2\x88\x9a\n312(a)         \xe2\x88\x9a a                                           \xe2\x88\x9a                            \xe2\x88\x9a\n312(c)         \xe2\x88\x9a a                                           \xe2\x88\x9a                            \xe2\x88\x9a\n315             \xe2\x88\x9a                                            \xe2\x88\x9a                            \xe2\x88\x9a\n411                                 \xe2\x88\x9a FDIC                             \xe2\x88\x9a                  \xe2\x88\x9a\n                  Regulations Required To Be Issued by the Federal Trade Commission\n151(a)                              \xe2\x88\x9a 
FTC                    \xe2\x88\x9a                            \xe2\x88\x9a\n153                                 \xe2\x88\x9a FTC                    \xe2\x88\x9a                            \xe2\x88\x9a\n213                                 \xe2\x88\x9a FTC                    \xe2\x88\x9a                            \xe2\x88\x9a\n                                                                             b\n                         Self-Executing Provisions Not Requiring Regulations\n112                                                          \xe2\x88\x9a                            \xe2\x88\x9a\n152                                                          \xe2\x88\x9a                            \xe2\x88\x9a\n154(a)                                                       \xe2\x88\x9a                            \xe2\x88\x9a\n212                                                          \xe2\x88\x9a                            \xe2\x88\x9a\n\n Source: FDIC Legal Division\xe2\x80\x99s FACT Act Status Report and various FILs and RDMs.\n a\n   On February 10, 2006, the FDIC Board of Directors approved the Interagency Advance Notice of Proposed\n   Rulemaking Regarding the Accuracy and Integrity of Information Furnished to Consumer Reporting Agencies\n   under the Fair and Accurate Credit Transactions Act of 2003.\n b\n   Self-executing provisions are FACT Act provisions that do not require rulemaking by the federal banking\n   agencies but require financial institution compliance.\n\n As of the time of our audit fieldwork, the FDIC, in coordination with the other regulators, had\n issued final rules in reference to two FACT Act provisions:\n\n     \xc2\xbe Section 216, Disposal of Consumer Report Information and Records, and\n     \xc2\xbe Section 411, Protection of Medical Information in the Financial System.\n\n In addition, the FTC has issued final rules in reference to three FACT Act provisions for which\n the FDIC does not have explicit authority to publish rules but 
which require FDIC-supervised institutions’ compliance:

• Section 151(a), Summary of Rights of Identity Theft Victims;
• Section 153, Coordination of Identity Theft Complaint Investigations; and
• Section 213, Enhanced Disclosure of the Means Available to Opt Out of Prescreened Lists.

The rulemaking process either has not started or has not been completed for the remaining five provisions, which require that the federal banking agencies coordinate to issue regulations. According to sections 114(e), 312(c), and 315 of the FACT Act, the federal banking regulators, NCUA, and FTC shall jointly prescribe regulations with respect to the entities that are subject to their respective enforcement authority. For other rulemaking sections (214(a) and 312(a)) the law states that the federal banking agencies, NCUA, and FTC, in coordination, shall prescribe regulations with respect to the entities that are subject to their respective enforcement authority. The FDIC’s Legal Division informed us that the agencies had agreed on timelines to ensure the timely publication of final rules when the FACT Act was enacted but found it difficult to meet the timelines. DSC’s efforts to issue regulations related to the FACT Act are, to a great degree, dependent upon other entities and DSC’s participation in joint rulemaking committees.

Joint Guidance

As discussed earlier, the FDIC has issued final rules related to two FACT Act provisions. DSC has issued final guidance to institutions and examiners, addressing one of those provisions, Section 216, Disposal of Consumer Report Information and Records. We found that the guidance provides adequate procedures related to complying with requirements of the disposal of consumer information. For the other provision, we also found that DSC has issued final guidance (in the form of a FIL transmitting the regulation) to institutions, but not examiners, addressing Section 411, Protection of Medical Information in the Financial System. We found that the guidance provides FDIC-supervised institutions adequate procedures related to complying with requirements on the use of medical information in determining credit eligibility.

On December 28, 2004, the FDIC issued final rules to implement FACT Act Section 216, Disposal of Consumer Report Information and Records. To address the regulation, the FDIC issued FIL-07-2005 entitled, Fair and Accurate Credit Transactions Act of 2003 Guidelines Requiring the Proper Disposal of Consumer Information, dated February 2, 2005. According to the FIL, Section 216 is designed to protect consumers against the risks associated with identity theft and other types of fraud and requires a financial institution that maintains or otherwise possesses consumer information derived from consumer reports to properly dispose of it. Under the final rule, the agencies amended their Guidelines Establishing Standards for Safeguarding Customer Information (renamed Interagency Guidelines Establishing Information Security Standards).

We reviewed the revised guidance and found it to be adequate to address FACT Act Section 216 in that the guidelines require each financial institution (1) to develop and maintain, as part of its information security program, appropriate controls designed to ensure that it properly disposes of “consumer information” derived from a consumer report in a manner consistent with the financial institution’s existing obligation under the guidelines and (2) to assess the risks to the institution’s consumer information as well as customer information by evaluating security measures to control the risks.

On November 22, 2005, the FDIC issued a final rule (12 Code of Federal Regulations (C.F.R.) Part 334) to address FACT Act Section 411, Protection of Medical Information in the Financial System. To address the regulation, the FDIC issued FIL-121-2005 entitled, Fair Credit Reporting – Medical Information Final Rules, dated December 8, 2005. We reviewed the guidance and found it to be adequate to address FACT Act Section 411 in that the guidelines prohibit institutions from obtaining and using medical information in determining credit eligibility, except as permitted by the financial institution regulatory agencies. In addition, the FIL identifies exceptions that will allow institutions to obtain and use medical information in appropriate circumstances. However, DSC has not yet issued final examination guidance related to this provision of the FACT Act. The effective date for FDIC-supervised institutions to comply with the rule is April 1, 2006.
According to DSC, this area will be addressed in an amendment to the FCRA examination procedures before the April 1, 2006, effective date.

FTC Regulations Required

During this audit, we identified three sections of the FACT Act for which the FTC was given authority to publish rules that require compliance by FDIC-supervised institutions. The federal banking agencies and the NCUA were consulted by the FTC in issuing these final rules.

• Section 151(a) of the FACT Act requires the development of a Summary of Rights of Identity Theft Victims. According to DSC, FDIC-supervised banks will use the model summary of rights notice when necessary. In this area, a CRA must provide the notice to consumers who have alerted the CRA that they may be a victim of identity theft. According to DSC, currently, none of the FDIC-supervised institutions are considered to be CRAs. Section 151 also addresses providing information about transactions or accounts that may be the result of identity theft to victims and/or law enforcement. There is no requirement for the FDIC to promulgate regulations for Section 151, and the FDIC was not given any explicit authority to do so. DSC provided guidance to examiners in the Interim Compliance Examiner Job-Aid attached to RDM 2004-055, Fair and Accurate Credit Transactions Act of 2003 – Effective Dates, dated November 29, 2004.

• Section 153 of the FACT Act requires nationwide CRAs to develop and maintain procedures to inform one another when an identity theft complaint is received. According to DSC, the FDIC currently does not supervise any financial institutions that are considered to be nationwide CRAs; therefore, there is no need for final guidance for this section.

• Section 213 of the FACT Act requires FDIC-supervised institutions to provide pre-screened consumer report notices and to use the FTC’s form for this purpose. The specific requirements became effective for financial institutions on August 1, 2005. According to DSC, at that time, the FDIC was leading a working group under the Federal Financial Institutions Examination Council (FFIEC)10 Consumer Compliance Task Force to re-write all of the FCRA examination procedures to include the FACT Act amendments. The FTC’s rules to implement Section 213 were part of this project. The procedures were approved by the FFIEC in September 2005, and DSC plans to communicate them to all FDIC offices using an RDM.

Self-executing Provisions

During this audit, we noted that the FACT Act includes some provisions that do not require rulemaking by the federal banking agencies but do require financial institution compliance:

• Section 112, Fraud and Active Duty Alerts;
• Section 152, Blocking of Information Resulting from Identity Theft;
• Section 154(a)-(b), Prevention of Repollution of Consumer Reports; and
• Section 212(c), Disclosure of Credit Scores.

10 The FFIEC, established in March 1979, is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the FDIC, NCUA, Office of the Comptroller of the Currency, and Office of Thrift Supervision and to make recommendations to promote uniformity in the supervision of financial institutions.

The FDIC informed its supervised institutions of the effective dates related to these self-executing provisions through FIL-130-2004, Fair and Accurate Credit Transactions Act of 2003 – Effective Dates, dated December 13, 2004. According to the FIL, these provisions were effective December 1, 2004. With regard to the provisions that do not require implementing regulations, the FDIC expects covered entities to begin to comply by the dates contained in the FACT Act or by the effective dates jointly set by the FTC and FRB. The FTC and FRB published these dates in a rulemaking in February 2004. In addition, DSC issued RDM 2005-055, Fair and Accurate Credit Transactions Act of 2003 – Effective Dates, dated November 29, 2004, to explain the effective dates for the FACT Act.
RDM 2005-055 has an attached supplement, Interim Job-Aid, which contains guidance for examiners in reviewing institution compliance with the self-executing requirements. Also, as noted earlier, the FDIC led a working group to re-write all of the FCRA examination procedures to include the FACT Act amendments. The revised procedures were approved by the FFIEC in September 2005, and copies of the procedures were provided to examiners during training sessions in all regions; however, the official FIL and RDM are still pending.

CONCLUSION

Consumers have become increasingly concerned about the privacy of their personal information, and adequate protection of that information is an important element of public trust and confidence in depository financial institutions. With the rapid growth of electronic commerce, and the increased collection of diverse pieces of consumer personal information, the potential for use of the information in ways unwanted by consumers is a growing risk to financial institutions. To address this risk, the Congress passed both GLBA and the FACT Act to improve data security and expand safeguards over the confidentiality of consumer information. The effectiveness of those laws is dependent upon regulatory agencies, including the FDIC, to issue appropriate guidance. In that regard, the FDIC has been successful in addressing all of the GLBA Title V provisions related to the security and privacy of consumer information and implementing our prior recommendations in this area. However, the FDIC needs to finalize examiner guidance related to provisions of the FACT Act that were self-executing and for which FTC issued regulations. The Corporation also needs to work with the other federal banking agencies to issue final rules and regulations addressing FACT Act provisions that required they be issued jointly by the agencies. Until such time that these efforts are completed, there is less assurance that the increased protection of consumer information intended by the two laws is, in fact, occurring.

RECOMMENDATIONS

We recommend the Director, DSC:

(1) Finalize interim examination guidance that addresses FACT Act provisions for which final rules and regulations have been issued or that are self-executing.

(2) Develop, in coordination with the joint-agency rulemaking committee, a more aggressive project management plan that will expedite the issuance of final rules and regulations for all FACT Act provisions.

CORPORATION COMMENTS AND OIG EVALUATION

On February 15, 2006, the Acting Director, DSC, provided a written response to the draft report. The response is presented in its entirety in Appendix V of this report. DSC concurred with the intent of both recommendations.

Regarding recommendation 1, the written response states that DSC is in the process of developing and issuing examination guidance that addresses FACT Act provisions for which final rules and regulations have been issued or that are self-executing. For areas covered by compliance examinations, procedures that include the self-executing FACT Act provisions have been approved by the FFIEC Consumer Compliance Task Force and are being formally distributed to both examiners and the industry through an RDM and a FIL.

For recommendation 2, DSC stated that the FDIC is actively participating in and is committed to expediting the process to issue final rules and regulations for all FACT Act provisions. DSC is committed to expediting the interagency process and, as a member of the separate working groups responsible for drafting each set of rules or guidelines, the FDIC has consistently made efforts to move the process forward and will continue to promote expedited processes during 2006.

OIG Evaluation: Management’s planned actions are responsive to the recommendations. The recommendations are resolved but will remain open until we have determined that the agreed-to corrective actions have been completed and are effective. Appendix VI contains a summary of management’s response to the recommendations and the status of the recommendations as of the date of this report. Also, on February 21, 2006, the FDIC issued final financial institution and examiner guidance related to the self-executing provision of the FACT Act. We will review the guidance to assess whether it addresses our recommendation.

APPENDIX I

OBJECTIVE, SCOPE, AND METHODOLOGY

Objective

The objective of this audit was to determine whether DSC has:

• provided adequate institution and examination guidance for implementing the data privacy and security provisions of the GLBA Title V and the FACT Act; and
• implemented the recommendations contained in OIG Audit Report No. 03-044, The Federal Deposit Insurance Corporation’s Progress in Implementing the Gramm-Leach-Bliley Act, Title V – Privacy Provisions, dated September 26, 2003.

We performed our audit from September 2005 through December 2005 in accordance with generally accepted government auditing standards.

Scope and Methodology

The scope of the audit included consumer privacy and data security requirements for FDIC-supervised institutions enacted under GLBA Title V, FCRA, and the FACT Act since we issued Audit Report No. 03-044 in September 2003. Details on that report are provided later in this appendix. The objective of the 2003 audit was to determine whether DSC had made reasonable progress in implementing Title V privacy provisions of the GLBA and had addressed both Subtitle A – Disclosure of Nonpublic Personal Information and Subtitle B – Fraudulent Access to Financial Information.

For the current audit, our assessment of the FDIC’s progress was based on an analysis of the Corporation’s and DSC’s efforts to establish regulations, issue implementing guidelines to financial institutions, and develop and implement procedures to examine financial institution compliance with GLBA Title V, FCRA, and FACT Act provisions. In addition, we followed up on the status of the recommendations in Audit Report No. 03-044.

Specifically, we:

• reviewed applicable laws and statutes related to consumer data privacy and security at FDIC-supervised institutions;
• reviewed applicable FDIC rules and regulations, DSC procedure manuals, RDMs and FILs, and DSC Internal Review reports; and
• interviewed key Legal Division personnel, DSC personnel, and senior management to obtain general information on privacy-related requirements and examinations.

We conducted our audit work at the FDIC’s Washington, D.C., Headquarters office.

Compliance With Pertinent Laws and Regulations

This audit addressed both GLBA Title V and FACT Act Titles I, II, III, and IV related to the protection and privacy of consumer information. The GLBA Title V provisions govern financial institution treatment of consumers’ nonpublic personal information. The FACT Act amended the FCRA and governs the content of consumer reports and restrictions on access. The Results of Audit section of this report summarizes the FDIC’s compliance with the applicable GLBA and FACT Act provisions, and details are provided in the findings.

Reliance on Computer-based Data, Government Performance and Results Act, Fraud and Illegal Acts, and Internal Control

Validity and Reliability of Data from Computer-based Systems

During this audit, we did not rely on data from computer-based systems.
Our assessment of the FDIC’s efforts to establish regulations, issue implementing guidelines to financial institutions, and develop and implement procedures to examine financial institutions’ compliance was based on interviews with FDIC staff and reviews of applicable documents.

Performance Measures

In fulfilling its primary supervisory responsibilities, the FDIC pursues two strategic goals:

• FDIC-supervised institutions are safe and sound, and
• FDIC-supervised institutions invest in their communities,11 and consumers’ rights are protected.

Two strategic objectives support the consumer rights strategic goal. The first strategic objective is that consumers have access to easily understood information about their rights and the disclosures due them under consumer protection and fair lending laws.12 The FDIC’s annual performance goals related to this objective are:

• Provide effective outreach and technical assistance on topics related to the CRA, fair lending, and community development.
• Meet the statutory mandate to investigate and respond to consumer complaints about FDIC-supervised financial institutions.

The second strategic objective is that FDIC-supervised institutions comply with consumer protection, CRA, and fair lending laws. The FDIC’s annual performance goals related to this objective follow.

• Conduct CRA and compliance examinations in accordance with the FDIC’s examination frequency policy.
• Take prompt and effective supervisory action to monitor and address problems identified during compliance examinations of FDIC-supervised institutions that receive a 4 or 5 rating for compliance with consumer protection and fair lending laws.

11 The goals are stated in the FDIC 2005-2010 Strategic Plan and the FDIC 2005 Annual Performance Plan.
12 The FDIC periodically publishes Consumer Alerts on its Web site to provide consumers information on emerging and continuing issues, including fraudulent efforts to obtain consumer information and on new laws that provide consumers with new opportunities or protections. The most recent Consumer Alerts topics include phishing scams, identity theft, and the Check Clearing for the 21st Century Act, FACT Act, and GLBA.

We limited our scope to the issuance of regulations and guidance related to the GLBA and FACT Act and did not review DSC’s examination assessment of compliance.

Fraud and Illegal Acts

The objective of this audit did not lend itself to specific steps for providing reasonable assurance of detecting fraud or illegal acts. Although we were alert to the potential for such activity, we did not identify any illegal acts or abuse or potential areas susceptible to illegal acts or abuse.

Internal Controls Reviewed

During the audit, we reviewed DSC’s guidance related to compliance and IT examinations at FDIC-supervised institutions. For compliance examinations, we also identified the systems used for measuring and monitoring program performance and compliance with laws and regulations and policies and procedures. We reviewed this information to gain an understanding of the applicable control environment.

Summary of Prior Audit Coverage

On September 23, 2005, the OIG issued Audit Report No. 05-038, Division of Supervision and Consumer Protection’s Risk-focused Compliance Examination Process. The overall objective of this audit was to determine whether DSC’s risk-focused compliance examination process results in examinations that are adequately planned and effective in assessing financial institution compliance with consumer protection laws and regulations. Specifically, we determined whether DSC examiners were adequately risk-scoping compliance examinations and conducting appropriate levels of transaction testing and making sound risk-scoping decisions when relying on the work of the financial institutions’ internal or external compliance review functions. We found that DSC examiners generally complied with the policies and procedures related to risk-scoping compliance examinations and that the Risk Profile and Scoping Memorandums prepared by examiners provided an adequate basis for planned examination coverage. However, we found that examination documentation did not always show the transaction testing or spot checks conducted during the on-site portion of the examinations, including testing to ensure the reliability of the institutions’ compliance review functions. Examiners also did not always document whether the examination reviewed all the compliance areas in the planned scope of review. The report recommended that DSC clarify and reinforce requirements that examiners adequately document the scope of the work performed, including transaction testing and spot checks of the reliability of the institutions’ compliance review functions, during the on-site portions of compliance examinations. DSC management agreed with the recommendation and has taken corrective action.

On June 15, 2004, the OIG issued Audit Report No. 04-022, FDIC’s Information Technology Examination Program. The objective of this audit was to determine whether the FDIC’s IT examinations provide reasonable assurance that IT risks are being addressed by the risk management programs in FDIC-supervised financial institutions. We concluded that the FDIC’s IT examination program provides reasonable assurance that IT risks are being addressed by risk management programs in FDIC-supervised financial institutions. We did, however, identify opportunities for improving the quality of the IT examination process. Specifically, DSC did not have a review process in place to determine whether appropriate examination procedures are applied and that findings and conclusions are adequately supported. DSC has a quality review process in place for its safety and soundness examinations but generally had not conducted similar quality reviews for IT examinations. We recommended that DSC institute a standardized quality review of all phases of the IT examination process and supporting documentation prior to issuance of IT examination results. DSC’s comments on the audit report were responsive, and DSC’s proposed actions were sufficient to resolve each recommendation.

On September 26, 2003, the OIG issued Audit Report No. 03-044, The Federal Deposit Insurance Corporation’s Progress in Implementing the Gramm-Leach-Bliley Act, Title V – Privacy Provisions. Overall, we found that the FDIC had made reasonable progress in implementing GLBA Title V provisions related to safeguarding consumer information and privacy notice requirements and modest progress in implementing provisions related to fraudulent access to financial information. As a result, we recommended that DSC (1) identify specific procedures in its examination work programs for examiners to assess the financial institutions’ compliance with guidance on protecting consumer information against identity theft; (2) identify the specific procedures in the IT General Work Program that are designed to assess compliance with the safeguarding standards; and (3) standardize guidance related to reporting the results of evaluating a financial institution’s compliance with the standards for safeguarding consumer information. DSC’s comments on the report were responsive, and DSC’s proposed actions were sufficient to resolve each recommendation.

To date, there have been no OIG audits conducted that relate specifically to the FCRA or the FACT Act.

APPENDIX II

SUMMARY OF LAWS AND REGULATIONS

Gramm-Leach-Bliley Act of 1999 (GLBA)

The GLBA requires federal regulators to issue rules to financial institutions, establishing standards for ensuring the security and privacy of consumer information. The GLBA Title V, Privacy, includes two subtitles – A and B. Subtitle A provides a mechanism to protect the confidentiality of a consumer’s nonpublic personal information. Subtitle B prohibits “pretext calling,” which is a deceptive practice used to obtain information on the financial assets of consumers. Criminal penalties and regulatory and administrative enforcement mechanisms were established to help prevent this practice.
Title V of GLBA also requires agencies to strengthen\nprohibitions on identity theft and requires a federal study on information sharing among financial\ninstitutions and their affiliates.13 Included are prohibitions on disclosing consumer account\nnumbers to nonaffiliated third parties for use in telemarketing, direct mail marketing, or other\nmarketing through electronic mail.\n\nOn June 1, 2000, the four federal bank and thrift regulators published substantively identical\nregulations that implemented provisions of the GLBA governing the privacy of consumer\nfinancial information. The FDIC established Part 332, Privacy of Consumer Financial\nInformation,14 which establishes the duties of a financial institution to provide particular notices\nand limitations on its disclosure of nonpublic personal information. Furthermore, each\ninstitution must provide notices of its privacy policies to its customers. Under this regulation,\nfinancial institutions are required to disclose, initially when a customer relationship is established\nand annually, thereafter, their privacy policies, including policies on sharing information with\naffiliates and nonaffiliated third parties. The privacy regulations became effective on\nNovember 13, 2000. Compliance was required as of July 1, 2001.\n\nFair Credit Reporting Act of 1968 (FCRA)\n\nThe FCRA establishes standards for the collection and permissible purposes for dissemination of\ndata by CRAs. The primary purpose of the FCRA is to regulate the nationwide consumer\nreporting system to help ensure the accuracy and security of consumer reports. The FCRA\ncontains substantive requirements for CRAs. 
The requirements can be applicable to banks that\nengage in information-sharing practices that constitute the communication of consumer reports.\nSpecifically, the FCRA prescribes standards that address information collected by businesses that\nprovide information used to determine consumer eligibility for credit, insurance, or employment.\nFCRA imposes requirements for accuracy, limits purposes for which such information may be\ndisseminated, allows certain rights for consumer access, and includes civil and criminal penalties\nfor its violations.\n\n\n\n13\n   Under Subtitle A, the term \xe2\x80\x9caffiliate\xe2\x80\x9d means any company that controls, is controlled by, or is under common\ncontrol with another company.\n14\n   Part 332 applies to financial institutions for which the FDIC has primary supervisory authority, including state-\ncharted institutions that are not members of the Federal Reserve System, insured state branches of foreign banks,\nand certain subsidiaries of such entities.\n\n\n                                                          16\n\x0c                                                                                   APPENDIX II\n\n\nThe FCRA was amended in 1996 to allow financial institutions to share information other than\ntheir own transactions and experiences, but only with their affiliates. 
The GLBA made\nadditional changes, including provisions removing the prohibition against conducting routine\nFCRA examinations and permitting regulations to be adopted to implement FCRA requirements.\nThe purposes of the FCRA, as amended, include the following:\n\n\xc2\xbe   to regulate aspects of the consumer reporting industry,\n\xc2\xbe   to place disclosure obligations on users of consumer reports,\n\xc2\xbe   to establish requirements applicable to the furnishing of information to CRAs, and\n\xc2\xbe   to require timely responses to consumer inquiries regarding information maintained by\n    CRAs.\n\nThe FCRA was amended again in 2003 by the FACT Act, which created many new\nresponsibilities designed to address the growing problem of identity theft.\n\nFair and Accurate Credit Transactions Act of 2003 (FACT Act)\n\nThe FACT Act preserves uniform national standards for the content of consumer report\ninformation and consumer access to such information and restricts the use and disclosure of\nsensitive medical information. The FACT Act provisions apply primarily to banks and CRAs.\nSome of the FACT Act provisions contain deadlines for establishing regulations, while others do\nnot. In addition, the FACT Act contains a number of self-executing provisions that require bank\ncompliance. The first three sections of the FACT Act address the title of the act, definitions, and\neffective dates. 
The remainder of the FACT Act contains the following titles:

• Title I: Identity Theft Prevention and Credit History Restoration – focuses on the responsibilities of institutions and CRAs to prevent identity theft and to help consumers remedy the effects when such a theft occurs.
• Title II: Improvements in Use of and Consumer Access to Credit Information – creates new rights for consumers with regard to accessing and limiting the use of their personal information.
• Title III: Enhancing the Accuracy of Consumer Report Information – addresses the issue of inaccurate credit reports, with main requirements addressing improvements in the reporting process as well as new disclosures designed to help consumers understand the role of their credit scores in underwriting and pricing decisions.
• Title IV: Limiting the Use and Sharing of Medical Information in the Financial System – prohibits banks from obtaining or using medical information about a consumer for determining eligibility for credit.
• Title V: Financial Literacy and Education Improvement – requires that several federal government agencies, including the federal banking agencies, form a financial literacy commission charged with developing and implementing strategies for improving financial literacy among the American public.
• Title VI: Protecting Employee Misconduct Investigations – requires that certain communications from employee investigations be excluded from the definition of consumer reports.
• Title VII: Relation to State Laws – addresses the FACT Act’s impact on state laws.
• Title VIII: Miscellaneous – addresses clerical amendments to the FACT Act.

The FACT Act contains new responsibilities for CRAs, financial institutions, and other users of consumer reports and provides many new consumer rights and protections. The FDIC and other federal agencies are responsible for implementing rules and conducting studies in regard to these issues. These issues impact both the compliance and risk management aspects of a financial institution’s operations.

Two new restrictions under the FACT Act deal directly with consumer information privacy and financial institutions. First, pursuant to Title IV, Section 411, creditors are prohibited in general from obtaining or using a consumer’s medical information in connection with any determination of the consumer’s eligibility or continued eligibility for credit. The effective date for Section 411 is June 3, 2004. On November 8, 2005, the FDIC’s Board of Directors voted to adopt a final rule on this provision effective April 1, 2006.

The second new restriction addresses the use of information obtained from affiliates. Title II of the FACT Act prohibits an entity from using information obtained from an affiliate to market its products or services, unless the consumer is given the opportunity to opt out first. This prohibition does not impact a bank’s ability to share information; rather, the restriction limits the affiliates’ use of the information. Title II, Section 214, requires that regulations be issued in final form by September 4, 2004, with an effective date of March 4, 2005.
The FDIC issued a proposed regulation on July 15, 2004.

APPENDIX III

VARIOUS FDIC ISSUANCES RELATED TO GLBA AND THE FACT ACT

GRAMM-LEACH-BLILEY ACT

Document Number | Title | Date
FIL-83-2003 | FFIEC Information Technology Examination Handbook: New Guidance for Examiners, Financial Institutions and Technology Service Providers on Electronic Banking, Information Technology (IT) Audits, and the FedLine Electronic Funds Transfer Application | October 27, 2003
RDM-2004-002 | Report Treatment of Compliance with the Interagency Guidelines Establishing Standards for Safeguarding Consumer Information | January 29, 2004
FIL-27-2004 | Guidance on Safeguarding Consumers Against E-Mail and Internet-Related Fraudulent Schemes | March 12, 2004
FIL-84-2004 | Guidance on Instant Messaging: Guidance on the Risks Associated with Instant Messaging | July 21, 2004
FIL-103-2004 | Internet Banking Fraud: Interagency Informational Brochure on Internet “Phishing” Scams | September 13, 2004
FIL-132-2004 | Identity Theft: Study on “Account-Hijacking” Identity Theft and Suggestions for Reducing Online Fraud | December 14, 2004
FIL-59-2005 | Identity Theft Study Supplement on “Account-Hijacking” Identity Theft | July 5, 2005
FIL-64-2005 | “Pharming”: Guidance on How Financial Institutions Can Protect Against Pharming Attacks | July 18, 2005
FIL-66-2005 | Spyware Guidance on Mitigating Risks From Spyware | July 22, 2005
FIL-103-2005 | FFIEC Guidance: Authentication in an Internet Banking Environment | October 12, 2005
Press Release 127-2005 | Federal Bank and Thrift Regulatory Agencies Publish Guide to Help Financial Institutions Comply with Information Security Guidelines | December 14, 2005

FAIR AND ACCURATE CREDIT TRANSACTIONS ACT

Document Number | Title | Date
FIL-47-2004 | Medical Privacy Regulations Under the Fair and Accurate Credit Transactions Act of 2003: Notice of Proposed Rulemaking Regarding Medical Privacy (Part 334 of the FDIC’s Rules and Regulations) | April 28, 2004
FIL-73-2004 | Disposal of Consumer Information: Notice of Proposed Rulemaking on Disposal of Consumer Information | June 17, 2004
FIL-82-2004 | Affiliate Marketing Opt Out Regulations: Notice of Proposed Rulemaking Regarding Affiliate Marketing Opt Outs (Part 334 of the FDIC’s Rules and Regulations) | July 15, 2004
RDM-2004-055 | Fair and Accurate Credit Transactions Act of 2003 – Effective Dates | November 29, 2004
FIL-130-2004 | Fair and Accurate Credit Transactions Act Effective Dates | December 13, 2004

Source: FDIC Legal Division’s FACT Act Status Report and various FILs and RDMs.

APPENDIX IV

CROSSWALK OF FACT ACT PROVISIONS
TO FDIC RULES AND REGULATIONS AND RELATED GUIDANCE

Columns: FACT Act Section Number and Heading; FDIC Rules and Regulations; Financial Institution Letters (FIL) and/or DSC Examination Procedures (OIG Comments Are in Bold).

Section 1: Short Title and Table of Contents

Section 2: Definitions

Section 3: Effective Dates

TITLE I – IDENTITY THEFT PREVENTION AND CREDIT HISTORY RESTORATION

Subtitle A – Identity Theft Prevention

111. Amendment to Definitions
Section 111
  FDIC Rules and Regulations: The FDIC is not required to issue regulations. The Federal Trade Commission (FTC) may issue regulations to define “identity theft.”
  FILs and/or DSC Examination Procedures: Amends Section 603 of FCRA (re: definitions) by adding definitions to include, but not limited to, “fraud alert,” “identity theft,” “identity theft report,” and “federal banking agency.”

112. Fraud Alerts and Active Duty Alerts
Section 112
  FDIC Rules and Regulations: The FDIC is not required to issue regulations. FTC issued regulations on November 3, 2004.
  FILs and/or DSC Examination Procedures: RDM-2004-055, Fair and Accurate Credit Transactions Act of 2003-Effective Dates, dated November 29, 2004, reiterates the requirements of this provision and includes a procedure to be performed in compliance examinations beginning after December 1, 2004.
  FIL-130-2004, Fair and Accurate Credit Transactions Act Effective Dates, dated December 13, 2004, provides an effective date of December 1, 2004 for this self-executing provision.

113. Truncation of Credit and Debit Card Account Numbers
Section 113
  FDIC Rules and Regulations: The FDIC is not required to issue regulations.
  FILs and/or DSC Examination Procedures: Amends FCRA Section 605 by adding Subsection (g), which includes effective-date provisions.
  RDM-2004-055, Fair and Accurate Credit Transactions Act of 2003-Effective Dates, dated November 29, 2004, reiterates the requirements of this provision and includes procedures to be performed in compliance examinations beginning after December 1, 2004. The RDM also provides additional effective dates for Automated Teller Machines and Point of Sale terminals.

114. Procedures for Identification of Possible Instances of Identity Theft
Section 114
  FDIC Rules and Regulations: The federal banking regulators, National Credit Union Administration (NCUA), and FTC are required to issue regulations jointly. There is no statutory due date for issuing regulations.
  FILs and/or DSC Examination Procedures: Amends FCRA Section 615 by replacing Subsection (e). Regulations are to address financial institutions, creditors, and/or card issuers.
  RDM-2004-055, Fair and Accurate Credit Transactions Act of 2003-Effective Dates, dated November 29, 2004, reiterates the requirements of this provision and states that this provision will be reviewed during IT examinations once final regulations are issued.
  FIL-130-2004, Fair and Accurate Credit Transactions Act Effective Dates, dated December 13, 2004, states that the effective date for this provision will be set forth in the final rule.

115. Authority to Truncate Social Security Numbers
Section 115
  FDIC Rules and Regulations: The FDIC is not required to issue regulations.
  FILs and/or DSC Examination Procedures: Amends FCRA Section 609(a)(1) by adding additional language thereto.

Subtitle B – Protection and Restoration of Identity Theft Victim Credit History

151. Summary of Rights of Identity Theft Victims
Section 151
  FDIC Rules and Regulations: FTC, in consultation with the federal banking agencies, shall prepare a model summary of rights for fraud and identity theft victims. Final rule codified at 16 C.F.R. Part 698; 69 FR 69776 (November 30, 2004).
  Also contains a self-executing provision that requires, within 30 days after receiving a request from an identity theft victim, a business entity that has entered into a commercial transaction with a person, who has allegedly made unauthorized use of the means of identification of a victim, shall provide a copy of the application and transaction records to: the victim, federal/state/local authorities, or any law enforcement agency investigating the identity theft and authorized by the victim to take receipt of the records.
  FILs and/or DSC Examination Procedures: Amends FCRA Section 609 by adding Subsections (d) and (e), which contain detailed provisions regarding victims of identity theft. Section 609(d) requires FTC, in consultation with the federal banking agencies, to prepare a model summary of rights for fraud and identity theft victims. Financial institutions are required to distribute a summary of rights to identity theft victims. Section 609(e) is a self-executing provision that requires, within 30 days after receiving a request from an identity theft victim, a business entity that has entered into a commercial transaction with a person, who has allegedly made unauthorized use of the means of identification of a victim, shall provide a copy of the application and transaction records to: the victim, federal/state/local authorities, or any law enforcement agency investigating the identity theft and authorized by the victim to take receipt of the records. FCRA Section 609(e)(9)(A) has reference to GLBA’s privacy provisions, Subtitle A of Title V; and Section 609(e)(9)(B) addresses law enforcement.
  RDM-2004-055, Fair and Accurate Credit Transactions Act of 2003-Effective Dates, dated November 29, 2004, reiterates the requirements of this provision and includes procedures to be performed in compliance examinations beginning after December 1, 2004 for the portion of this provision that was effective June 4, 2004, which did not require the issuance of regulations (self-executing).

152. Blocking of Information Resulting From Identity Theft
Section 152
  FDIC Rules and Regulations: The FDIC is not required to issue regulations. The FTC issued regulations on November 3, 2004.
  FILs and/or DSC Examination Procedures: Adds Section 605B, entitled Block of Information Resulting from Identity Theft, to FCRA. FACT Act Section 112(b) requires FTC to issue regulations on what constitutes “appropriate proof of identity” for purposes of FCRA Sections 605A, 605B, and 609(a)(1).
  FIL-130-2004, Fair and Accurate Credit Transactions Act Effective Dates, dated December 13, 2004, provides an effective date of December 1, 2004 for this provision.

153. Coordination of Identity Theft Complaint Investigations
Section 153
  FDIC Rules and Regulations: The FTC published a Notice of FTC Publication in 70 Federal Register 21792 (April 27, 2005). Notice is effective as of May 2, 2005. The FTC, in consultation with the federal banking agencies, shall develop a model form and procedures to be used by victims of identity theft to contact and inform creditors and consumer reporting agencies.
  FILs and/or DSC Examination Procedures: Amends FCRA Section 621 by adding Subsection (f).
  RDM-2004-055, Fair and Accurate Credit Transactions Act of 2003-Effective Dates, dated November 29, 2004, reiterates the requirements of this provision and states that it will be reviewed during IT examinations once final regulations are issued.

154. Prevention of Repollution of Consumer Reports
Section 154
  FDIC Rules and Regulations: The FDIC is not required to issue regulations.
  FILs and/or DSC Examination Procedures: FACT Act Section 154(a) amends FCRA Section 623(a) by adding paragraph (6), which applies to persons furnishing information to credit reporting agencies. FACT Act Section 154(b) amends FCRA Section 615 by adding Subsection (f), which pertains to persons who sell, transfer, or place for collection debts after being notified of identity theft.
  RDM-2004-055, Fair and Accurate Credit Transactions Act of 2003-Effective Dates, dated November 29, 2004, reiterates the requirements of this provision and includes a procedure to be performed in compliance examinations beginning after December 1, 2004.
  FIL-130-2004, Fair and Accurate Credit Transactions Act Effective Dates, dated December 13, 2004, provides an effective date of December 1, 2004, for this self-executing provision.

155. Notice by Debt Collectors With Respect to Fraudulent Information
Section 155
  FDIC Rules and Regulations: The FDIC is not required to issue regulations.
  FILs and/or DSC Examination Procedures: Amends FCRA Section 615 by adding Subsection (g). Applies to debt collectors acting on behalf of creditors or other users of a consumer report.
  RDM-2004-055, Fair and Accurate Credit Transactions Act of 2003-Effective Dates, dated November 29, 2004, reiterates the requirements of this provision and includes a procedure to be performed in compliance examinations beginning after December 1, 2004.

156. Statute of Limitations
Section 156
  FDIC Rules and Regulations: The FDIC is not required to issue regulations.
  FILs and/or DSC Examination Procedures: Amends FCRA Section 618 by substituting revised language.

157. Study on the Use of Technology to Combat Identity Theft
Section 157
  FDIC Rules and Regulations: The FDIC is not required to issue regulations. The Secretary of the Treasury is to consult with the federal banking agencies on a study of technology used to combat identity theft 180 days after enactment of the FACT Act.

TITLE II – IMPROVEMENTS IN USE OF AND CONSUMER ACCESS TO CREDIT INFORMATION

211. Free Consumer Reports
Section 211
  FDIC Rules and Regulations: The FDIC is not required to issue regulations. The FTC is required to issue regulations and a model summary of consumer rights.
  FILs and/or DSC Examination Procedures: Amends FCRA Sections 609(c) and 612(a) and adds Section 629, entitled Corporate and Technological Circumvention.

212. Disclosure of Credit Scores
Section 212
  FDIC Rules and Regulations: The FDIC is not required to issue regulations.
  FILs and/or DSC Examination Procedures: Amends FCRA Sections 605(d), 609(c), and 625(b) and adds Subsections 609(f) and (g). The latter provision applies to mortgage lenders who use consumer credit reports. These lenders are required to provide a notice to loan applicants regarding credit scores.
  RDM-2004-055, Fair and Accurate Credit Transactions Act of 2003-Effective Dates, dated November 29, 2004, reiterates the requirements of this provision and includes a procedure to be performed in compliance examinations beginning after December 1, 2004.
  FIL-130-2004, Fair and Accurate Credit Transactions Act Effective Dates, dated December 13, 2004, provides an effective date of December 1, 2004 for this self-executing provision.

213. Enhanced Disclosure of the Means Available to Opt Out of Prescreened Lists
Section 213
  FDIC Rules and Regulations: FTC to consult with federal banking agencies and NCUA to issue regulations on the format of notices for opting out of prescreened lists. Final rule at 70 Federal Register 5022 (January 31, 2005). Final rule sets an effective date of August 1, 2005.
  FILs and/or DSC Examination Procedures: Amends FCRA Section 615(d)(2). Section 213(d) requires FTC to wage a public awareness campaign on the issue of opting out.
  RDM-2004-055, Fair and Accurate Credit Transactions Act of 2003-Effective Dates, dated November 29, 2004, reiterates the requirements of this provision and states that it will be reviewed during compliance examinations once final regulations are issued.

214. Affiliate Marketing
Section 214(a) Special Rule for Solicitation for Purposes of Marketing
  FDIC Rules and Regulations: The federal banking agencies, NCUA, and FTC (with respect to the entities that are subject to their respective enforcement) and the Securities and Exchange Commission (SEC) were required to issue final regulations no later than September 4, 2004, with an effective date no later than 6 months after issuance of the final regulations. Each agency was required to consult and coordinate with each other to the extent possible to ensure the regulations each agency issued are consistent and comparable. A proposed regulation was issued July 15, 2004.
  FILs and/or DSC Examination Procedures: FACT Act Section 214(a) redesignates certain existing FCRA Sections and adds a new Section 624 to FCRA. Section 624 deals with a limitation on affiliates’ marketing efforts based on credit-report-type information shared by another affiliate and includes notice requirements to the consumer.
  FIL-82-2004, Affiliate Marketing Opt Out Regulations, dated July 15, 2004, includes proposed rules and solicits comments from financial institutions that were due by August 16, 2004.
  RDM-2004-055, Fair and Accurate Credit Transactions Act of 2003-Effective Dates, dated November 29, 2004, reiterates the requirements of this provision and states that it will be reviewed during compliance examinations once final regulations are issued. The RDM also states that this provision will be effective within 6 months after final regulations are issued.

Section 214(e) Studies of Information Practices
  FDIC Rules and Regulations: The federal banking agencies, NCUA, and FTC are required to jointly conduct studies and initially report the results and any recommendations for legislative or regulatory action to the Congress by December 4, 2006. Follow-up reports are required at least once every 3 years thereafter.
  FILs and/or DSC Examination Procedures: FACT Act Section 214(e) sets forth requirements for the federal banking agencies, NCUA, and FTC to conduct regular joint studies of consumer information-sharing practices of financial institutions.

215. Study of Effects of Credit Scores and Credit-Based Insurance Scores on Availability and Affordability of Financial Products
Section 215
  FDIC Rules and Regulations: The FDIC is not required to issue regulations. The Federal Reserve Board and FTC are required to consult with the Office of Fair Housing and Equal Opportunity to conduct a study and shall include input from relevant federal regulators.

216. Disposal of Consumer Report Information and Records
Section 216
  FDIC Rules and Regulations: Final rules codified at 12 C.F.R. Part 334.83 and 364.101. Final regulation was published December 28, 2004 and became effective on July 1, 2005.
  FILs and/or DSC Examination Procedures: The FACT Act adds Section 628, entitled Disposal of Records, to FCRA. This Section requires persons who maintain consumer information to dispose of that information properly.
  FIL-73-2004, Disposal of Consumer Information: Notice of Proposed Rulemaking on Disposal of Consumer Information, dated June 17, 2004, includes the proposed requirements and solicits comments from financial institutions.
  RDM-2004-055, Fair and Accurate Credit Transactions Act of 2003-Effective Dates, dated November 29, 2004, reiterates the requirements of this provision and states that it will be reviewed during IT examinations after final regulations are issued.
  FIL-130-2004, Fair and Accurate Credit Transactions Act Effective Dates, dated December 13, 2004, states that the effective date for this provision will be set forth in the final rule.
  FIL-7-2005, Fair and Accurate Credit Transactions Act of 2003 Guidelines Requiring the Proper Disposal of Consumer Information, dated February 2, 2005, includes the requirements for financial institutions in ensuring compliance with the final rule.

217. Model Disclosure for Furnishing Negative Information
Section 217
  FDIC Rules and Regulations: The Federal Reserve is to issue a model disclosure that a financial institution may use to notify a consumer that it has furnished negative information to credit reporting agencies. Final rule codified at 12 C.F.R. Part 222; 69 Federal Register 33281 (June 15, 2004).
  FILs and/or DSC Examination Procedures: Amends FCRA Section 623(a) by adding new paragraph (7). Requires certain financial institutions that provide negative information about a consumer to a CRA to furnish a notice to the consumer.
  RDM-2004-055, Fair and Accurate Credit Transactions Act of 2003-Effective Dates, dated November 29, 2004, reiterates the requirements of this provision and includes procedures to
be\n                                                                                 performed in compliance examinations beginning after\n                                                                                 December 1, 2004.\n\n                      TITLE III \xe2\x80\x93 ENHANCING THE ACCURACY OF CONSUMER REPORT INFORMATION\n311. Risk Based Pricing Notice\nSection 311        The FDIC is not required to issue regulations.                Amends FCRA Section 615 by adding Subsection (h) requiring\n                                                                                 any person that uses a consumer report in granting credit on\n                                                                                 \xe2\x80\x9cmaterial terms that are materially less favorable than the most\n                                                                                 favorable terms available to a substantial portion of [certain]\n                                                                                 consumers\xe2\x80\x9d to provide an oral, written, or electronic notice to\n                                                                                 the consumer in the form required by the regulations.\n\n                                                                                 RDM-2004-055, Fair and Accurate Credit Transactions Act of\n                                                                                 2003-Effective Dates, dated November 29, 2004, reiterates the\n                                                                                 requirements of this provision and states that this provision will be\n                                                                                 reviewed during compliance examinations once final regulations\n                                                                                 are issued.\n\n                                                                  
               FIL-130-2004, Fair and Accurate Credit Transactions Act Effective\n                                                                                 Dates, dated December 13, 2004, states that this provision becomes\n                                                                                 effective December 1, 2004, but the parameters for and date of\n                                                                                 compliance will be established in the final rule.\n\n312. Procedures to Enhance the Accuracy and Integrity of Information Furnished to Consumer Reporting Agencies\nSection 312(a)     There is no statutory due date for issuance of final          RDM-2004-055, Fair and Accurate Credit Transactions Act of\nAccuracy           regulations. The federal banking agencies, NCUA, and          2003-Effective Dates, dated November 29, 2004, reiterates the\nGuidelines and     FTC, with respect to the entities that are subject to their   requirements of this provision and states that it will be reviewed\nRegulations        respective enforcement, are required to issue guidelines      during compliance examinations once final regulations are issued.\n                   and regulations regarding the accuracy and integrity of\n                   information provided to consumer reporting agencies.\n\n\n                                                                          28\n\x0c                                                                                                                               APPENDIX IV\n\n\nFACT Act Section                                                                            Financial Institution Letters (FIL) and/or\n  Number and                     FDIC Rules and Regulations                                      DSC Examination Procedures\n   Heading                                                                                       (OIG Comments Are in Bold)\n                   Each agency 
was required to consult and coordinate with       FIL-130-2004, Fair and Accurate Credit Transactions Act Effective\n                   each other to the extent possible to ensure the regulations   Dates, dated December 13, 2004, states that the effective date for\n                   issued by each are consistent and comparable.                 this provision will be set forth in the final rule.\n\nSection 312(c)     There is no statutory due date for issuance of final          RDM-2004-055, Fair and Accurate Credit Transactions Act of\nAbility of         regulations. The federal banking agencies, NCUA, and          2003-Effective Dates, dated November 29, 2004, reiterates the\nConsumer to        FTC are required to jointly issue regulations regarding       requirements of this provision and states that it will be reviewed\nDispute            reinvestigations of disputes concerning the accuracy of       during compliance examinations after final regulations are issued.\nInformation        consumer-report information.\nDirectly With                                                                    FIL-130-2004, Fair and Accurate Credit Transactions Act Effective\nFurnisher                                                                        Dates, dated December 13, 2004, states that the effective date for\n                                                                                 this provision will be set forth in the final rule.\n\n313. FTC and Consumer Reporting Agency Action Concerning Complaints\nSection 313        The FDIC is not required to issue regulations. 
The FTC        FACT Act 313(a) amends FCRA 611 by adding Subsection (e),\n                   and Federal Reserve Board are to jointly study how            which requires the FTC to compile complaints related to\n                   consumer agency and furnishers of information to credit       inaccurate or incomplete information.\n                   reporting agencies are complying with requirements\n                   related to disputed information. The progress report was\n                   due 1 year after the FACT Act\xe2\x80\x99s enactment.\n\n314. Improved Disclosure of the Results of Reinvestigation\nSection 314        The FDIC is not required to issue regulations.                RDM-2004-055, Fair and Accurate Credit Transactions Act of\n                                                                                 2003-Effective Dates, dated November 29, 2004, reiterates the\n                                                                                 requirements of this provision and includes procedures to be\n                                                                                 performed in compliance examinations beginning after\n                                                                                 December 1, 2004.\n\n\n\n\n                                                                        29\n\x0c                                                                                                                              APPENDIX IV\n\n\nFACT Act Section                                                                          Financial Institution Letters (FIL) and/or\n  Number and                     FDIC Rules and Regulations                                    DSC Examination Procedures\n   Heading                                                                                     (OIG Comments Are in Bold)\n315. 
Reconciling Addresses\nSection 315        The federal banking regulators, NCUA, and FTC are to       Amends FCRA Section 605 by adding Subsection (h) regarding\n                   jointly issue regulations providing guidance regarding     the need for a CRA to notify a consumer about a discrepancy in\n                   policies and procedures that a user of a consumer report   the consumer\xe2\x80\x99s address in the CRAs\xe2\x80\x99 files.\n                   should employ when the user has received notice of a\n                   discrepancy in a consumer\xe2\x80\x99s address. The FACT Act does     RDM-2004-055, Fair and Accurate Credit Transactions Act of\n                   not provide a statutory due date for issuance of the       2003-Effective Dates, dated November 29, 2004, reiterates the\n                   regulations.                                               requirements of this provision and states that this provision will be\n                                                                              reviewed during compliance examinations after final regulations\n                                                                              are issued.\n\n                                                                              FIL-130-2004, Fair and Accurate Credit Transactions Act Effective\n                                                                              Dates, dated December 13, 2004, states that the effective date for\n                                                                              this provision will be set forth in the final rule.\n\n316. Notice of Dispute Through Reseller\nSection 316        The FDIC is not required to issue regulations.\n\n317. Reasonable Reinvestigations Required\nSection 317        The FDIC is not required to issue regulations.             Amends FCRA Section 611(a)(1)(A) regarding reinvestigations.\n\n318. 
FTC Study of Issues Relating to the Fair Credit Reporting Act\nSection 318       The FDIC is not required to issue regulations. FTC is to\n                  study ways to improve the operations of FCRA. The\n                  report was due 1 year after the FACT Act\xe2\x80\x99s enactment.\n\n319. FTC Study of Accuracy of Consumer Reports\nSection 319       The FDIC is not required to issue regulations. FTC is to\n                  study the accuracy and completeness of information in\n                  consumer reports prepared by CRAs. An interim report\n\n\n\n                                                                     30\n\x0c                                                                                                                            APPENDIX IV\n\n\nFACT Act Section                                                                         Financial Institution Letters (FIL) and/or\n  Number and                    FDIC Rules and Regulations                                    DSC Examination Procedures\n   Heading                                                                                    (OIG Comments Are in Bold)\n                   was due 1 year after the FACT Act\xe2\x80\x99s enactment and every\n                   2 years thereafter for 8 years. The final report is due\n                   2 years after the last interim report.\n\n          TITLE IV \xe2\x80\x93 LIMITING THE USE AND SHARING OF MEDICAL INFORMATION IN THE FINANCIAL SYSTEM\n411. Protection of Medical Information in the Financial System\nSection 411        Final rules codified at 12 C.F.R. Part 334 and published in FACT Act Section 411(a) amends FCRA Section 604(g) by\n                   the Federal Register on November 22, 2005.                  
placing limitations on CRAs and creditors with respect to the\n                                                                               use of medical information about consumers and the\n                                                                               redisclosure of that information by any person.\n\n                                                                             FIL-47-2004, Medical Privacy Regulations Under the Fair and\n                                                                             Accurate Credit Transactions Act of 2003, dated April 28, 2004,\n                                                                             includes proposed rules and solicits comments from financial\n                                                                             institutions that were due by May 28, 2004.\n\n                                                                             RDM-2004-055, Fair and Accurate Credit Transactions Act of\n                                                                             2003-Effective Dates, dated November 29, 2004, reiterates the\n                                                                             requirements of this provision and includes procedures to be\n                                                                             performed in compliance examinations beginning after\n                                                                             December 1, 2004. 
The RDM also states that implementing rules\n                                                                             defining exceptions will become effective after final regulations are\n                                                                             issued.\n\n                                                                             FIL-51-2005, Fair Credit Reporting Medical Information Interim\n                                                                             Final Rules, dated June 16, 2005 includes interim final rules that\n                                                                             will take effect on March 7, 2006, and solicits comments from\n                                                                             financial institutions that were due by July 11, 2005.\n\n\n\n\n                                                                     31\n\x0c                                                                                                                       APPENDIX IV\n\n\nFACT Act Section                                                                     Financial Institution Letters (FIL) and/or\n  Number and                     FDIC Rules and Regulations                               DSC Examination Procedures\n   Heading                                                                                (OIG Comments Are in Bold)\n                                                                          FIL-121-2005, Fair Credit Reporting \xe2\x80\x93 Medical Information Final\n                                                                          Rules, dated December 8, 2005, includes the final rules that will\n                                                                          take effect on April 1, 2006.\n\n412. 
Confidentiality of Medical Contact Information in Consumer Reports\nSection 412        The FDIC is not required to issue regulations.\n\n                                TITLE V \xe2\x80\x93 FINANCIAL LITERACY AND EDUCATION IMPROVEMENT\n511. Short Title\nSection 511        The FDIC is not required to issue regulations.\n\n512. Definitions\nSection 512        The FDIC is not required to issue regulations.\n\n513. Establishment of Financial Literacy and Education Commission\nSection 513        The FDIC is not required to issue regulations.\n\n514. Duties of the Commission\nSection 514        The FDIC is not required to issue regulations.\n\n515. Powers of the Commission\nSection 515        The FDIC is not required to issue regulations.\n\n516. Commission Personal Matters\nSection 516        The FDIC is not required to issue regulations.\n\n517. Studies by the Comptroller General\nSection 517        The FDIC is not required to issue regulations.\n\n\n\n                                                                    32\n\x0c                                                                                                                    APPENDIX IV\n\n\nFACT Act Section                                                                   Financial Institution Letters (FIL) and/or\n  Number and                     FDIC Rules and Regulations                             DSC Examination Procedures\n   Heading                                                                              (OIG Comments Are in Bold)\n518. The National Public Service Multimedia Campaign to Enhance the State of Financial Literacy\nSection 518        The FDIC is not required to issue regulations.\n\n519. Authorization of Appropriations\nSection 519        The FDIC is not required to issue regulations.\n\n                              TITLE VI \xe2\x80\x93 PROTECTING EMPLOYEE MISCONDUCT INVESTIGATIONS\n611. 
Certain Employee Investigation Communications Excluded From Definition of Consumer Report\nSection 611        The FDIC is not required to issue regulations.\n\n                                                TITLE VII \xe2\x80\x93 RELATION TO STATE LAWS\n711. Relation to State Laws\nSection 711        The FDIC is not required to issue regulations.\n\n                                                      TITLE VIII \xe2\x80\x93 MISCELLANEOUS\n811. Clerical Amendments\nSection 811        The FDIC is not required to issue regulations.\n\n\n\n\n                                                                    33\n\x0cAppendix V\n\x0c                       APPENDIX V\n\n\nCORPORATION COMMENTS\n\n\n\n\n         35\n\x0c                                                  MANAGEMENT RESPONSE TO RECOMMENDATIONS\n\n     This table presents the management response on the recommendations in our report and the status of the recommendations as of the date\n     of report issuance.\n                                                                                                                                                          Open\n      Rec.                                                                                      Expected              Monetary         Resolved:a          or\n     Number                 Corrective Action: Taken or Planned/Status                       Completion Date          Benefits         Yes or No         Closedb\n                    DSC concurred with the intent of the recommendation. DSC\n            1       will issue examination guidance that addresses FACT Act\n                    provisions for which final rules and regulations have been\n                    issued or that are self-executing by year-end 2006. 
For areas\n                    to be covered by compliance examinations, procedures that                December 31, 2006           None              Yes            Open\n                    include the self-executing FACT Act provisions have been\n                    approved by the FFIEC Consumer Compliance Task Force.\n                    They are being formally distributed to both examiners and the\n                    industry through an RDM and a FIL.\n36\n\n\n\n\n                    DSC concurred with the intent of the recommendation.\n            2       According to DSC, the FDIC is actively participating in and\n                    is committed to expediting the interagency process to issue\n                    final rules and regulations for all FACT Act provisions. As              December 31, 2006           None              Yes            Open\n                    a member of the separate working groups responsible for\n                    drafting each set of rules or guidelines, the FDIC has\n                    consistently made efforts to move the process forward and\n                    will continue to promote expedited processes.\n     a\n         Resolved \xe2\x80\x93 (1) Management concurs with the recommendation, and the planned corrective action is consistent with the recommendation.\n                   (2) Management does not concur with the recommendation, but planned alternative action is acceptable to the OIG.\n                   (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long\n                       as management provides an amount.\n     b\n         Once the OIG determines that the agreed-upon corrective actions have been completed and are effective, the recommendation can be closed.\n\x0c'